Re: Spamd variation
On 6/12/07, Soner Tari <[EMAIL PROTECTED]> wrote:
> Probably a simple shell script could do the job, which would look at SpamAssassin logs to find out the spam score and IP address, and insert into spamd blacklists as necessary. The only caveat is that threshold spam score for blacklisting should be kept very high to prevent inserting false positives into spamd blacklist.
>
> In my experience spamd is very successful, but SpamAssassin catches some spam e-mails that spamd misses occasionally. (After all, OpenBSD maillists also use both, see http://www.openbsd.org/mail.html).
>
> Please correct me if I am wrong, but I believe the OP's point was missed in the other replies. I also would like to know what people at misc@ think about such a scheme.

I think you summed it up; no modifications to spamd are necessary, your post-spamd filters can modify blacklists directly with a little ingenuity and some script-fu.

Remember, it's unix. Modular. Pieces. Simplicity.

DS
Re: Spamd variation
From what I understand from the post, you are suggesting a scheme similar to what snort2pf is doing for snort and pf. In layman terms, when snort issues an alert, snort2pf informs pf about the attacker's IP, and pf takes an action. AFAIK, this is currently the only way to convert snort from an IDS into an IPS on OpenBSD (snort inline works only on Linux, if I'm not mistaken).

Similarly, when SpamAssassin or DSPAM determine that an e-mail is spam, (again in layman terms) they inform spamd about the spammer IP and thereafter that IP is handled by spamd. Please beware this scheme does not require any change to spamd functioning. And if implemented, it could save processing resources of the system, because the spammers which are not in any blacklist could be dynamically added to the spamd blacklists and could not reach content scanners like SpamAssassin and DSPAM, which are much more expensive in terms of processing resources.

Probably a simple shell script could do the job, which would look at SpamAssassin logs to find out the spam score and IP address, and insert into spamd blacklists as necessary. The only caveat is that threshold spam score for blacklisting should be kept very high to prevent inserting false positives into spamd blacklist.

In my experience spamd is very successful, but SpamAssassin catches some spam e-mails that spamd misses occasionally. (After all, OpenBSD maillists also use both, see http://www.openbsd.org/mail.html).

Please correct me if I am wrong, but I believe the OP's point was missed in the other replies. I also would like to know what people at misc@ think about such a scheme.

On Tue, 2007-06-12 at 03:04 -0700, Praveen wrote:
> Hi,
> From the man page it appears that spamd relies on
> static information about spam originators.
> Why not a more dynamic scheme ?.
>
> Why not run the content of the mail through a spam
> detector (like dspam), find the spam score and make
> decisions based on that. I know that spam detection
> is nowhere near perfect but it can be used for
> assigning a 'badness score' to a site(originator of
> email). So a site keeps getting this score and the
> average (per msg) exceeds a we black list the site for
> fixed duration. Similarly for white listing.
>
> 'Badness score' can also be assigned for other things,
> like trying to send to nonexistent user (a typical
> spammer probe), absence of mx entry etc.
>
>
> A milter(sendmail/postfix) can be implemented for
> this.
> Thus decisions will be more dynamic and 'configuration
> free'.
>
> Does this sound reasonable ?
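The scheme from the message above (content-filter scores feeding spamd's blacklist, with a very high threshold), as an added example that is not part of the original thread. The "ip score" input format, the sample addresses and the `NEVER_LIST` relays are constructed assumptions, and it assumes spamd runs in greylisting mode, where `spamdb -t -a` adds a TRAPPED entry; it also averages per sender as the original poster suggested.

```sh
#!/bin/sh
# Added example: pick spamd blacklist candidates from content-filter scores.
# Input format is an assumption (constructed): one "<relay-ip> <score>" per
# line, as a local script might extract from SpamAssassin's output.

THRESHOLD=${THRESHOLD:-20}   # kept very high to avoid false positives
MIN_MSGS=${MIN_MSGS:-2}      # require repeated offences before listing
NEVER_LIST=${NEVER_LIST:-"127.0.0.1 192.0.2.25"}   # hypothetical own relays

# candidates: read "ip score" lines on stdin and print the IPs whose average
# score over at least MIN_MSGS messages reaches THRESHOLD.
candidates() {
    awk -v thr="$THRESHOLD" -v min="$MIN_MSGS" -v skip="$NEVER_LIST" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) safe[s[i]] = 1 }
        # accept only a dotted-quad IPv4 address and a numeric score
        NF == 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^-?[0-9]+(\.[0-9]+)?$/ {
            split($1, o, "."); ok = 1
            for (i = 1; i <= 4; i++) if (o[i] > 255) ok = 0
            if (!ok || ($1 in safe)) next      # bad octet or protected relay
            sum[$1] += $2; cnt[$1]++
        }
        END { for (ip in sum) if (cnt[ip] >= min && sum[ip] / cnt[ip] >= thr) print ip }
    ' | sort
}

# blacklist: dry run by default (prints the command); with APPLY=1 it adds
# each IP as a TRAPPED entry through spamdb(8).
blacklist() {
    while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then spamdb -t -a "$ip"; else echo "spamdb -t -a $ip"; fi
    done
}

sample_log() {   # constructed sample data (documentation address ranges)
    cat <<'EOF'
198.51.100.7 31.4
198.51.100.7 27.9
203.0.113.9 35.0
192.0.2.25 40.1
192.0.2.25 38.0
203.0.113.50 6.2
203.0.113.50 24.0
999.1.1.1 50
999.1.1.1 50
EOF
}

sample_log | candidates | blacklist
```

Only 198.51.100.7 is selected from the sample: the single high-scoring message, the protected relay, the sender with a low average and the malformed address are all left alone.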
Re: Spamd variation
* Praveen <[EMAIL PROTECTED]> [2007-06-12 05:14]:
> Hi,
> From the man page it appears that spamd relies on
> static information about spam originators.
> Why not a more dynamic scheme ?.

No, it doesn't. please read the man page instead of trolling.

>
> Why not run the content of the mail through a spam
> detector (like dspam), find the spam score and make
> decisions based on that. I know that spam detection
> is nowhere near perfect but it can be used for
> assigning a 'badness score' to a site(originator of
> email). So a site keeps getting this score and the
> average (per msg) exceeds a we black list the site for
> fixed duration. Similarly for white listing.
>

No. spamd does not do content filtering.

> 'Badness score' can also be assigned for other things,
> like trying to send to nonexistent user (a typical
> spammer probe), absence of mx entry etc.
>
> A milter(sendmail/postfix) can be implemented for
> this.
> Thus decisions will be more dynamic and 'configuration
> free'.

As it is, spamd in greylisting mode (the default) is very configuration free. but it sounds like you actually don't run it, and are just trolling.

-Bob
Re: Spamd variation
RW wrote:
> On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:
>
>> Hi,
>> From the man page it appears that spamd relies on
>> static information about spam originators.
>> Why not a more dynamic scheme ?.
>>
>> Why not run the content of the mail through a spam
>> detector (like dspam), find the spam score and make
>> decisions based on that. I know that spam detection
>> is nowhere near perfect but it can be used for
>> assigning a 'badness score' to a site(originator of
>> email). So a site keeps getting this score and the
>> average (per msg) exceeds a we black list the site for
>> fixed duration. Similarly for white listing.
>>
>> 'Badness score' can also be assigned for other things,
>> like trying to send to nonexistent user (a typical
>> spammer probe), absence of mx entry etc.
>>
>>
>> A milter(sendmail/postfix) can be implemented for
>> this.
>> Thus decisions will be more dynamic and 'configuration
>> free'.
>>
>> Does this sound reasonable ?
>>
>
> No.
>
> That would make spamd into bloatware and much less efficient.
>
> People who want milters, content-inspection, RBL lookups and whatever
> can run them in conjunction with their MTA.
>
> spamd does all I want it to do with no measurable load on my system. I
> do NO content inspection and there have been only 3 spams total which
> got to any user in this domain since 1/1/7.
>
> Content inspection practitioners are always playing catchup and
> fiddling with ham/spam training for their toys and then along comes the
> next trick of the spammers = back to square one.
>

i second this. started working at my current job and there was a ton of spam coming through until i setup spamd. some spam outfits, e.g. OptInBig.com, took a bit of energy and analysis to block (thrown into blacklists) but now that it's done, we get very little spam. the amount of energy i have to expend on a regular basis to keep spamd working effectively is approximately 0.

> Thanks to beck@ and company I don't have to play that silly game.
>

hear hear! carefully reading the RFCs can be a beautiful thing indeed.

cheers,
jake

> R\/\/.
>
> In the beginning was The Word
> and The Word was Content-type: text/plain
> The Word of Rod.
Re: Spamd variation
Praveen wrote:
> From the man page it appears that spamd relies on static information about spam originators.

greylisting is pretty dynamic.

---
Lars Hansson
Re: Spamd variation
On Tue, 12 Jun 2007 03:04:23 -0700 (PDT), Praveen wrote:

>Hi,
> From the man page it appears that spamd relies on
>static information about spam originators.
>Why not a more dynamic scheme ?.
>
>Why not run the content of the mail through a spam
>detector (like dspam), find the spam score and make
>decisions based on that. I know that spam detection
>is nowhere near perfect but it can be used for
>assigning a 'badness score' to a site(originator of
>email). So a site keeps getting this score and the
>average (per msg) exceeds a we black list the site for
>fixed duration. Similarly for white listing.
>
>'Badness score' can also be assigned for other things,
>like trying to send to nonexistent user (a typical
>spammer probe), absence of mx entry etc.
>
>
>A milter(sendmail/postfix) can be implemented for
>this.
>Thus decisions will be more dynamic and 'configuration
>free'.
>
>Does this sound reasonable ?
>

No.

That would make spamd into bloatware and much less efficient.

People who want milters, content-inspection, RBL lookups and whatever can run them in conjunction with their MTA.

spamd does all I want it to do with no measurable load on my system. I do NO content inspection and there have been only 3 spams total which got to any user in this domain since 1/1/7.

Content inspection practitioners are always playing catchup and fiddling with ham/spam training for their toys and then along comes the next trick of the spammers = back to square one.

Thanks to beck@ and company I don't have to play that silly game.

R\/\/.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.
Spamd variation
Hi,
From the man page it appears that spamd relies on static information about spam originators. Why not a more dynamic scheme ?.

Why not run the content of the mail through a spam detector (like dspam), find the spam score and make decisions based on that. I know that spam detection is nowhere near perfect but it can be used for assigning a 'badness score' to a site(originator of email). So a site keeps getting this score and the average (per msg) exceeds a we black list the site for fixed duration. Similarly for white listing.

'Badness score' can also be assigned for other things, like trying to send to nonexistent user (a typical spammer probe), absence of mx entry etc.

A milter(sendmail/postfix) can be implemented for this. Thus decisions will be more dynamic and 'configuration free'.

Does this sound reasonable ?

regards
Praveen